For Vista — the catalog download for kb3198483 includes 2 files. One is the expected .msu standalone update but the other is an executable by the name mpsyschk.exe. There is no mention of this executable in the update documentation. My search for information indicates that this is a compatibility checker tool. My guess is that I should run this tool before applying the standalone update with which it was bundled. Unfortunately I have no idea what I’m supposed to look for when this tool has finished executing. Can anyone confirm this speculation and/or provide more information and guidance on how to proceed?

Woody, I was reading your Infoworld article and saw this, “Most important: You shouldn’t see an update for Security Monthly Quality Rollup…”

That was news to me because, I did the security-only patch for October, and am still seeing the November “Security Monthly Quality Rollup” under important updates.
I’ll hide it, but if youre Group B, watch what you update folks. I’ll now do the November Security Only update and see what comes up.

Thanks for doing this. I’m a Win7 holdout and these analyses are very useful. One thing I’ve noticed using process explorer is that wininit and a number of svchost processes seem to have TCP connections to choice.microsoft.com since the GWX thing started. Do you have any idea what this behaviour is?

For Win 7 x64, my system last week chose KB3197868 but I see that you are recommending KB3197867.
Does it matter which one is installed; is it necessary to install the former over the latter?
Thanks,
CMA

Let me rephrase: the links point to the Security-Only update (Win7 x64 and 8.1 x86), but also to the full Monthly Rollup (Win7 x86 and 8.1 x64). I think the latter two are not the ones you’d want for Group B, am I right?

Woody, you say on InfoWorld
“In particular, if you go poking around, you’ll probably see something called a “Preview of Monthly Quality Rollup for Windows 7″or Win 8.1. You don’t want it. The “Preview” is, in fact, a beta version of the rollup you can expect next month — and it isn’t baked yet. That’s why Microsoft calls it a “Preview.” I have no idea why the company put it in the Windows Update collection. Normal people should never go near the “Previews.”

In the windows XP/2003 times there was a section in Windows Update which was named beta or for Administrators only, if I remember well. I have never seen that section populated in the old times, but the current Preview type of patches are exactly why that section existed.
I suppose that in order to implement the same concept in the current versions of Windows would require redesigning of the Windows Update and as such Microsoft does not see it as cost-effective.
There is also a hidden reason for the current implementation. Most end-users who update do not care about filtering patches and as such have all the telemetry patches installed and active. Some of them also install the Preview patches, while Microsoft is able to collect real-time data from those users and draw conclusions for about 3 weeks in relation to the functionality and problems with the Preview patches. I think this is in fact the main reason why they are published in advance and presented in the current form.

There have been references to the “Catalog” which I thought at one time was not available. I think I may have missed something which has changed (?).

Can those of us who have “NEVER” just go ahead and do the “check updates”, and get them as we did last month? Apologies for the obtuse question, however with all of the acronyms being utilized, we non-techies are just “lost” at times.

Thank you for any clarification you may be able to provide, and all of the help you have provided in the past. 🙂

None of the links on your page for the Security Only patches seem to be working, the ones Woody has posted provide a direct download to all of them.

Clicking either the x86 or the x64 links to the Win 7 Security Only patches on your page take me to the MS Catalog but never progress to the KB downloads. However, both links to these patches from LAST MONTH are still working fine. I am using IE-11 with ActiveX enabled by the way.

@ Woody… Sorry Woody, I don’t know how to contact Dalai directly so I took the liberty of responding to him here.

I installed the convenience rollup for Windows 7 awhile back, installed the November updates, ran disk cleanup and now I got 2 updates from 2011. Security updates for .Net Framework 3.5.1. KB2446710 & KB2478662. They were installed prior to the disk cleanup. Do you know what’s going on?

Microsoft seems to have been reading my mind lately. I have more or less made a mental note to go Group B, but in fact I got so fed up that I mainly lost interest and began to behave like I belonged to Group W.

I still haven’t made a decision on the last set of proposed updates. They are back from September and August. The update balloon keeps popping up with the same old junk, which has not refreshed since.

Windows Update will continue hitting you with everything it’s got. If you’re in Group B or Group W, ignore it. There are a few minor updates from time to time that you’ll want – .NET Framework patches, servicing stack updates – but they’re nits.

Sorry, I did not make myself clear. I’m precisely worried because Windows Update did not hit me with anything since last September.

I am set to receive updates, but the last ones I received date from September. Most recent check for updates (automatic) is back from October. Windows seems to have stopped checking updates although it’s set to do it.

Is Group W for not installing anything any more? That’s where I’m at. (I posted some questions about updating in a different thread a month or two ago, but didn’t get a response, so opted to go with no longer updating.)

I think I’m in the same boat as clairvaux? I didn’t do the October updates either, but I turned off Automatic Updates (set to “Never Check”) and have left it like that since.

I only use my computer for logging into two secure sites (medical chart website, and a communication website for parents), Gmail, and the ABC website to watch a show once a week on-line. (And I guess on the rare occasion, Amazon.com to order something — but that was just recently for the first time in years.) All through Firefox (which I keep up to date, as I do with Flash in Firefox, as well). I just can’t risk updates messing up my (what is admittedly old) laptop because I definitely can’t lose being able to access to those two secure sites I mentioned. There are probably plenty of reasons why this is a horrible idea (though maybe not), but my thinking is that if I’m only using my computer for the things listed in the manner listed, then I can probably get by without updating anymore. (?)

Anyway, thanks for the hint! I would have left them non-working for IE users without it.

> the ones Woody has posted provide a direct download to all of them.

Not quite, and that’s what I’m trying to say. It’s only _one_ link for every security-only update while there should be _two_ of them, one for each architecture. Like mulletback says, too, some posts below mine.

That’s common for those 2 patches and I think it is a bug in the handling of the supersedence. Go ahead and install the old patches to keep WU happy. They will only be flagged as installed, because the components are already installed as part of other patches.
Your other choice is to uninstall the Convenience Update and re-run Windows Update as many times as needed to complete the updating of Windows, because some of the components are removed when uninstalling the Convenience Update. This is all clean and would bring you back mainstream.

The handling of the supersedence in the Convenience Update is the main reason why I don’t install and/or recommend the installation of the Convenience Rollup.
I still hope that this will be fixed soon and made available mainstream, as otherwise it is a valuable update, containing few components not available on Windows Update and belonging to the so called LDR branch.

Saying that, it is not a mistake to have the Convenience Update installed, only that you should expect this sort of glitches that you have already noticed. Based on current terminology, you could consider the Convenience Update in the class of Preview patches, good enough, but not perfect.

I think for Catalog access the equivalent https URLs should always be used, because historically the http URLs have been on and off.
There may also be differences between www. and non-www URLs, depending on the browser used.
I would stick with IE and https and ActiveX control for the catalog as the best option.

Woody: No problem installing the security- only patches on my Windows 7 & 8.1 Group B desktops (yay!). The only other patch of significance on both machines is the Malicious Software Removal Tool, but I’m now questioning if I really need it. I have fully up-to-date real-time protection from both Bitdefender and Malwarebytes Anti-Malware, and I really don’t know what else MSRT offers that is better/different. What’s your take on this?

there is no way a Security-Only Rollup could prevent offering of a Security Quality Rollup. Assume a scenario in which only the Security-Only Rollup of January 2017 gets installed on a machine. In comparison to the Security Quality Rollup of January 2017, you are now lacking the Security-Only Rollups of December, November and October. Windows Update cannot let you get away with that.

Except for rare emergency patches which are released outside of the regular schedule, I think we should keep the regular routine of updating based on the updates released on the main Patch Tuesday which is the second Tuesday of each month. This include the outstanding patches released for the month which are the Office patches from first Tuesday.

Thank you for explaining that ch100. I installed the convenience rollup to keep the number of updates down. But maybe I will uninstall it and install the regular patches. I just wish Microsoft would release a service pack 2 for Windows 7. Probably won’t happen.

If it is too much trouble and you are comfortable with the Convenience Update you might want to keep it a bit longer as it may eventually be revised and released on Windows Update. This fits nicely with the current direction from Microsoft.

1. What happens if you run Windows Update manually, by pressing the button?
You can do that even if you have it set to “check for updates but let me choose”.

2. Might you have turned off the “service” (in Services) of Windows Updates, based on some people’s recommendations in prior discussion threads here?
Doing that can stop Windows Update from checking with Microsoft’s servers, I think.
You might see if your Windows Update “service” has been “disabled”.

I just ran into conflicts between MSE and Malwarebytes Antimalware (mbam.exe). It looks like mbam scans are taking 2X or longer to run with the latest definitions. There’s a thread on Malwarebytes forum on it,

Ch100…Not sure I understand your point suggesting that we should not question security updates. I thought asking questions about updates…security and otherwise, was the purpose of this forum. You’ve apparently never been bitten by an update issue that you couldn’t resolve.

Other than the thing with KB2446710 and KB2478662 I personally haven’t had any other problems with the convenience rollup. I mean the glitch with those 2 updates isn’t really enough to make me uninstall the rollup.

I am in Group W, ie Never Check For Updates, for my Win 7 SP1 cptr, since July 2016.
……. Additionally, I’ve been running Linux Mint 17.3 off an external HDD on my Win 7 cptr, since I mostly do web-surfing. Others may not be able to escape the clutches of M$ n “caged” Windows, eg business users, office workers, online gamers, etc.
.
Once in awhile, I may need to run my non-updated Win 7 system. I do not feel insecure about malware since I hv an antivirus program installed n practice safe-surfing. M$ may instead be the biggest “malware” hacker in the world, ie in their “malevolent” quest to push Win 7/8.1 users onto Win 10.

I’m not very computer literate, but Woody–THANKS! You helped keep W10 off my W7 desktop and W8.1 laptop. I warily but resolutely joined Group B, prior to ‘patchocalypse’. (After all, I’d spent long hours and months “fighting the good anti-W10 fight.”) I did my Oct. security updates with your “step-by-step’s”. This month, you shortened things to a link. Kindness of heart! You’re a “man-of-the-people”, and a protector of those would have W10 w/o you. Question: I disabled Office 2013 updates over 2 years ago, when I found click-to-run didn’t allow me to choose among them. (Using Office v15.0.4551.1005). Should I restart Office updates? Thanks!

The links at Dalai’s site do work with IE now although Woody’s links above are to direct downloads bypassing the additional hoops to jump through required for using the MS catalog… but I have a question about the file names for this month’s patches.

Why do the file names contain that long string of characters this month? I’m seeing this from the links provided above and also directly from the MS catalog. They’ve never had that long filename before and the links to PREVIOUS month’s patches at Dalai’s site still don’t either.

I do realize the file’s name is certainly no big deal… I’m just curious.

I’m in group A, but I have two tasks related to KB2976978 disabled in Task Scheduler. Today I’ve installed KB3197874 (November 2016 Security Monthly Quality Rollup for Windows 8.1), after that I’ve checked the Task Sheduler and those two tasks remain disabled. KB2976978 still appears in optional updates list.
If Microsoft includes KB2976978 in Security Monthly Quality Rollup does its installation cause disabled tasks to be re-enabled?

When I enable Office updates, they download and install by default thru my wifi. They download in the background, not thru windows update. I never get to see or know what gets in. So I turned it off. Just enabled it. Updates went in, but don’t know what installed. This is on w8.1, 64bit laptop with Office 2013. Is there a better way?

I tried running Windows Update manually just as was posting my question yesterday, and nothing happened. Meaning it started searching, but found nothing and still offers the same stale patches list dating back from September. It still has the same October 11 date for Most recent check for udpates.

I did not turn the service off. Checking Services, Windows Update is set at Automatic (delayed start), Started. Started, I suppose, is related to the fact that I have just relaunched manually Check for updates, just in case ; but some more knocking over the head will be needed I’m afraid.

@ Walker ……. Servicing Stack Updates are similar to the previous Windows Update Client/Agent. They are needed for the installation of the optional monthly Convenience Update Rollups that were introduced by M$ for Win 7/8.1 in April 2016.
……. Since April 2016, they are needed for Windows Update to work n subsequently for the installation of the monthly Update/Patch Rollups.
.
B4 April 2016, Win 7 users needed to hv Windows Update Client/Agent installed b4 Windows Update would work to help them automatically install individual updates that they had selected, either with their Windows Update setting at Automatic or Manual(= eg “Check for updates but let me choose whether to download and install them”).

I haven’t wadded through all the comments here yet. I am a bit behind. I did the primary October update via the Catalog a while back, but did not do the October 2016 Security and Quality Rollup for .Net Framework…. (KB3188740). I had to download the fix for speeding up Windows Update, I finally did it this morning. So I assume, per instructions on previous Infoworld articles, I should install this one.

The only others listed in the Recommended are November 2016 Security Monthly Quality Rollup for Win 7 x64 (KB3197868), which I assume should be avoided as it is not the Security Only Quality Update. A question on this actually, when I download this month’s patch from the Catalog, this is supposed to go away from Windows Update, correct?

The last is the Malicious Removal Toolkit, which I assume going forward is always ok to install, unless noted.

I believe that the catalog downloads the update, named as Windows Update itself would download it – ie: with the md5 (or sha1?) as part of the filename. The links to download.microsoft.com are convenience links.

Funnily enough, they *should* result in the same binary but the July 2016 rollup KB3172605 does not for 64 bit. The x86 msu compares identical. Looking inside, the build date is different but not sure what other differences are (the cab files are *huge*!)

(I was trying to patch up an old script I did to automate this and the change to catalog broke it a bit)

The security fixes that are listed in this Security Only Quality Update 3197867 are also included in the November 2016 Security Monthly Quality Rollup 3197868. Update rollup 3197868 also includes improvements and fixes from October monthly rollup 3185330 that was released on October 11, 2016. Installing either update 3197867 or 3197868 installs the security fixes that are listed here.
If you use update management processes other than Windows Update, and you automatically approve all Security updates classifications for deployment, both this November 2016 Security Only Quality Update 3197867 and the November 2016 Security Monthly Quality Rollup 3197868 are deployed. We recommend that you review your update deployment rules to make sure the desired updates are deployed.
REALLY !!!!!!!!!!

Yes, that’s the way the post-patchocalypse system works. There’s a Security-only update, which (if you want it) you have to download and install manually. There’s also a Monthly rollup, which includes security and non-security patches.

If you’re in Group A, the rollup is fine. If you’re in Group B, you want the Security-only, and don’t want the rollup.

I hope my instructions make that clear.

Office 2010 patches operate independently, and they’re good right now.

I was surprised to find that, after you manually install the Security-only patch, from the Catalog, Windows Update will still offer the Monthly Rollup as a checked, Important update. If you follow my instructions for Group B, they say that you should uncheck the box for that patch. In

Most important: You shouldn’t see an update for Security Monthly Quality Rollup, but if you do, uncheck the box next to the patch. I haven’t seen that patch appear after installing the Security-only update, but ya never know. If you install the Security Monthly Quality Rollup, it will propel you into Group A.

Based on the experiences posted here, I’m having that changed to say

Most important: UNCHECK the box next to the Security Monthly Quality Rollup. If you install the Security Monthly Quality Rollup, it will propel you into Group A.

Yes, the .NET updates are OK. I install the MSRT, but some people balk because it does phone home — the exact details of the interaction aren’t known.

My guess is that you’re using Office 365, Office 2013 edition. As long as you’re paying for Office 365 you’ll get updated outside of the Windows Update sphere. And if you stop paying for Office 365, Office will stop working, so there’s kind of a symmetry involved. 🙂

The technology involved is called Click-to-Run. You’re running the Click-to-Run version of Office 2013, but until today you’ve disabled updates. You can keep track of the latest Office 2013 CtR versions here:

I don’t use Secunia’s advice for Windows, so I haven’t hit this one. Basically, I think you have to ignore Secunia. There are no individual KBs to chase down anymore. You can only choose Security-only or Monthly rollup. There’s no middle ground.

Thanks Woody! Not Office 365; not paying for it. I have MS Home and Student 2013, a 1-time buy. Loaded on my (then new) Toshiba laptop by store, who said I was stuck with it! Came as click-to-run. After I updated it today; I re-disabled auto updates till I can check out your advice! 🙂

If that’s the case, it just began this month. I’ve been using the links at Dalai’s site for months to download the “magic patches” and those ALL go through the catalog too. This month is the first time the filenames have included what you state is the “md5”.

If you’d like visual proof go to Dalai’s site and use any one of the links posted to acquire files BEFORE November’s. They ALL direct you through the MS Update Catalog to download them but starting just this month the “md5” is part of the filename. The same applies to links that others have provided here to pre-November patches/updates, none of them have ever had that in them.

Below is a link to Dalai’s site, Woody had it pinned in the upper right corner of his main page previously but apparently removed it once the “magic patches” became unnecessary.

I’ve had Secunia (version 2) for several years, however haven’t used it at all for a long time.

I would like to uninstall it, and just wondering if there are any residuals remaining after it’s uninstalled. Tried to find some information on this, however was not successful. I’ve read about some programs leaving “unwanted garbage” behind after being uninstalled.

If it helps, I created a batch file to try and sort the update process out (https://github.com/conoror/misc/tree/master/wupatch). It does the list one at a time starting with any service stack patches (if it doesn’t find any). Even if you don’t want to use it, the patches are all down at the end. It uses bitsadmin to do the actual download.

I’ve done my absolute best to make sure it doesn’t do anything boneheaded but I disavow all responsibility! It also has a silly little option to “updateme” to attempt to update itself.

I’d be interested if anyone finds it useful or finds it doing something completely stupid. It needs to be run interactively (ie: at a cmd prompt) but I could change that if people find that annoying…

I have two laptops here. The first installed KB3197867 no problem. The second looked ok and then sort of sat there. When I tried to switch user (to admin), the screen went blank and that was that. Hard reset. Seems ok on reboot though!

Yes, it is a very good site! I’ve been going there to get the Security Only updates until it wasn’t working with IE yesterday so I tried using the links in this thread instead.

When your links prompted me to Save the files I cancelled out after seeing those long filenames thinking something wasn’t right. After Dalai fixed the problem on his site so IE could download them I was quite surprised with all the hoops to jump through this month to download the exact same files that I didn’t download from the direct download links provided here. The links here is where I finally chose to get them from to avoid jumping through all those ridiculous hoops to download them through Dalai’s links.

I guess all’s well that ends well but it appears to me that something has changed downloading files through the MS Update Catalog this month. For SURE those long filenames just started this month.

I am thinking of crossing into group A, for convenience and because it seems almost inevitable that I’ll want functionality and/or bugfixes that come with the rollups. Defeating telemetry therefore seems like the only feasible approach going forward. I will apply Windows firewall policies to default-deny, and see if I can pinpoint responsible telemetry actors, if I can. If anyone has information, I’d love to hear about it.

@RCPete, are you using the stand-alone (free) version of Malwarebytes, or something else? On my Windows Pro x64 computers, I’m not seeing any issue with the free stand-alone MB scanner. I am running the latest MSE definitions, but I have not updated the MSE engine.

Windows Update = the engine that check, organize and offer updates
that’s it

servicing stack = the engine that handle and install updates and features components
pretty much the core of windows system since Vista

this stack needs to updated to recognize and handle some new components budled with updates

and the last SS update was in April 2015, not 2016
it become prerquisite for certain updates: KB3042058, KB3161608, KB3172605, KB3181988, and Convenience Rollup KB3125574
none of new Monthly Quality Rollups require it so far

I agree wholeheartedly with delaying installation of patches. It is excellent advice. BUT, that’s not what was said. I don’t agree that those “who question the Security updares should either not use Windows or design their own better Operating System.”

Different note…have updated two machines (8.1 & 7), one Group A and the other Group B. Both have gone smoothly. IF MS continues to issue clean patches, I could become a Group A convert. Even with your excellent Group B instructions, Group A is less of a hassle.

I use Secunia PSI on my W7 PC to make sure my installed software is patched. However, I have decided to be a member of Group B, and only install the security patches. After installing the security roll-ups, Windows Update predictably tells me that there is the Group A patch waiting to be installed. BUT, more importantly, PSI tells me that W7 and IE11 are still insecure. I suspect that this is PSI looking for the Group A patch, but I thought it should be something that others are aware of, either to correct me, or to warn people they have advised to use PSI!

The WSUS database always gives you the files in these formats. I remember analysing this in 2008 under XP and it’s the same. The Update program pulls the files with the SHA1 hash from the WSUS database onto your hard disk.

The links on Dalai’s site go to the support.microsoft.com which gives you different views of the database (files with neater names), until November at least.

I guess MS don’t consider the “security only” patches as “public facing” – they don’t want the public using them (without jumping through hoops at least), thus the lack of neater links. The corporates would always travel the WSUS database route.

Horrible to say, but that makes me feel better 🙂 I’ve never seen this happen before – I would think that updates actually complete during reboot and subsequently. It was quite strange, essentially the update looked like it never completed (Event Viewer says it had), and then the UI started to completely lose its mind. Like the HAL computer…

I’m thinking that it’s a good idea to stop the Window Update service before a manual patch install, just in case. But who knows what actually happened! Lucky it’s just my test machine 🙂

I also use Secunia’s PSI and am seeing the same results as others have noted above. So I commented on Secunia’s forum for PSI about the issue. While there I saw someone else noting a similar issue from October’s patching and they were directed to run MBSA. So I did that and found that MBSA also is not detecting MS16-142 being addressed by the application of KB3197867 (the November 2016 Security Only Quality Update for Windows 7 SP1). So that leads me to think that it is MS that has the issue in their own internal detection/tracking of which KBs address which issues and probably not PSI.

Doing the defcon 4 November patches using 8.1.
I’m at Group B Step 3, the standalone installer has been “searching for updates on this computer” for 45 minutes. I know the instructions say will take a while, but this seems like it’s stalled. Last month went just fine. Shall I wait it out or is there a problem?

Re: “I don’t agree that those “who question the Security updares should either not use Windows or design their own better Operating System.” ”

I don’t agree, either.

It is well within our customer rights (and, perhaps, responsibilities, if one is an IT-industry employee as well as a customer) to question, critique, test, and suggest improvements for IT products and services that are on the market.
And the companies who sell these products and services, if they are savvy, rational, and strategic, should welcome customer feedback and honesty.
“Like it or lump it” isn’t a recipe for success in a capitalistic marketplace (which isn’t burdened by too many monopolies/oligopolies, at least).

Due to a recent Windows Update, some people have been losing their internet search (or internet visits, I don’t remember which) history,
and that is probably the “history” that Cartel was talking about not wanting to lose (i.e., Cartel probably was not talking about his/her Windows Update history).

Woody recently wrote a blogpost here about the internet-history-hiding bug some people were experiencing after the recent Updates.

@Woody: PLEASE HELP! I have not “checked for the November updates yet”, however noticed that KB3188740 from October 11th was installed on October 30, 2016. This states that it is “Quality Rollup for NET Framework 3.5.1”.

NOW I am pulling my hair out because I note that it is listed as a “ROLLUP”. I’m sure that before I installed it I had noted it was “clear” because it was only for the NET Framework.

Here is a reference I located on “dont-install-any-updates-yet-but-heres-where-to-find-them”:

.
@ Walker & abbo ……. I stand corrected. Sorry for the misinfo.
.
Fyi, it was in April 2016 that Windows Update became broken for those who did a clean reinstall of Win 7/8.1,(Win 7 SP1) ie when M$ introduced their optional monthly Convenience Update Rollups(CUR), starting with KB3125574,(= 312MB in size for Win 7 32bit) the May 2016 CUR or Win 7 SP2.
……. After July 2016, to get Windows Update working again for a clean reinstalled Win 7, the users had to first manually install KB3020369, the April 2015 Servicing Stack Update n KB3172605, the July 2016 CUR.
……. So, the likely cause of broken Windows Update in April 2016 was the introduction of CUR or Rollups by M$. …
.https://decentsecurity.com/windows-7-fast-update/

—-
A commenter there named “James Law” wrote,
“Just checked my mrt.log and it appears that this started in September with the release of v5.40.”

—-
A commenter there named “Gary” wrote the following, and I would agree:
“MS states that the Win malicious software removal tool is NOT a replacement / alternative for dedicated anti-malware and anti-virus software.
I have good anti-malware and anti-virus software installed.
Every month, since it first appeared, I have hidden this KB because, for me, it is irrelevant.
Now it is exposed as yet another MS telemetry tool.
I sympathize with users like Dave who have found out that it is flawed and not fit for purpose.”

—-
A commenter named “Henk” cautioned,
“It looks like this very month, Microsoft sneakily changed its telemetry server addresses in order to foil users who blocked such addresses in their hosts file.”

Win7 64-bit – Woody: I’m just so confused with all these update issues. Anyway, I’m still using the old Windows Update method to download Security updates only. Started it yesterday on Nov 18th and it’s still downloading. I stopped it twice but then restarted. What the heck is going on? Guess I’ll keep it going overnight again. What to do????

I’m in group A. Win 7×64. What was ever decided about KB2952664..to install or not to install? I still have it sitting in my list from October. Also I have old KB’s that were recommended but not installed last year and some from this year. Is it okay to install those now? They are not drivers updates.

Windows Update was first broke in May 2015, and the break has nothing to do with any specific update
and Convenience Rollup KB3125574 is not even published or recognized by Windows Update, only available from MU catalog

the fix for WU issue was introduced in June 2016 rollup KB3161608, which been replaced with July rollup KB3172605

Those who question and do not install the available security updates are a danger for the internet as a whole.
This is the main reason why we see the current push for forced updates and as we see the whole industry is behind Microsoft in their attempt to resolve some of the ongoing security issues of today.

You are right that it was discussed only recently, but this is because most people had no idea about it before.
If you want to find authoritative information, you need to go to the source and not to popular sites which are very useful, but have a different role.

This log sample is from a device behind a proxy server failing to submit the report.
After October 2016, the submission was blocked as documented here https://support.microsoft.com/en-us/kb/891716 mostly to avoid network timeouts and there is no submission error logged after that date.

@poohsticks
Thanks for clarifying. I was convinced that the original post was about Windows Update history. Maybe I should read more carefully next time. 🙂
Even so, any history record is in the category of a temporary cache, so it is not quite something to rely on to a large extent. It would be preferable to be more reliable, but as we see it is not.

.
@ abbo ……. Pls refer to these links …http://windowsitpro.com/patch-tuesday/patch-tuesday-microsoft-confirms-kb3020369-culprit-stuck-installations
.https://support.microsoft.com/en-us/kb/3020369
.
.
When first released for the April 2015 Patch Tuesday for Win 7, KB3020369 was a buggy Servicing Stack Update that was causing a few problems. About 2 weeks later, M$ issued a new KB3020369 to fix the bugs n Windows Update got working normally again.
……. So, this was a buggy update that was soon fixed by M$ n Windows Update got working again, even for those who did a clean reinstall of Win 7 post-end-April 2015.
……. IOW, Windows Update was not broken since April 2015 n onward.
.
In comparison, from April 2016 onward, Windows Update was broken for those who did a clean reinstall of Win 7 unless they first manually install KB3020369 n KB3125574, the Rollup for May 2016.
……. After July 2016, KB3172605, the July 2016 Rollup replaced KB3125574 as a co-prerequisite for Windows Update.
.
Bear in mind that those who already had a running n up-to-date Win 7 system in April 2016 n had M$’s Telemetry updates installed had a normal working Windows Update, ie they did not have a broken Windows Update n did not need to install KB3125574 or Win 7 SP2.
……. Only those who had hidden M$’s Telemetry updates n did a clean reinstall experienced a broken Windows Update.

First of all I’m one of the “dummies” but I’m struggling to stay in Group B. Since Win10 appeared I visit this site regularly and I have learnt a lot since then, taking down tons of things I didn’t needed at all. The system is still working so I suppose I haven’t done any permanent damage to it.

My system is now in “Never check for updates (not recommended)” and I have always unchecked the box marked “Give me recommended updates the same way I receive important updates”.

In october (following your article – I always follow your instructions step by step) I chose to download only the “Security Only Update”.

This month I’m going to download first this month’s “Security Only Update” directly from Microsoft Update Catalog and then I suppose that it’s time to run Windows Update and start to look for the “Security and Quality Rollup for Net Framework and Security Patches for Office. (that you say it’s important too)

I know that I must look ONLY under important updates and no recommended updates and NEVER install “Security Monthly Quality Rollup”.
Once I have all my downloads in my system waiting for my permission to be installed I come back to this site to see if there is some problem with any KB I want to know about first.

Please woody could you explain to me what that is? It’s a direct download link and I don’t understand what it is.
Is it a THIRD STEP I should take after I have done the things I talked about above or is it this month’s “Security Only Update”

MY SECOND QUESTION:
I have Internet Explorer that I scarcely use (I don’t see my bank account or any of my country official organization pages right with Mozilla – don’t know how to fix that but it doesn’t bother me).

So should I download everything under “important” that I see about the Internet Explorer? I suppose I should. Or is there some KB I should avoid for any reason?

I want to thank you so much (really so much) woody and all other here in this site for all your help. I don’t know what I would do without all of you here, helping so much every month. Thanks again with all my heart.

You’re on the right track. This month’s a little easier than usual because there isn’t any .NET Framework patch, nor are there any weird additional patches. Windows Update will help with Office patches this month, but that’s about it.

First question: I’m saving you the bother of finding the update in the Catalog. If you use the link, you don’t need to mess around with the Catalog.

So far, IE patches have been rolled into the Security-only patch. That’s a change from what MS originally announced, but it makes your job much easier. No need to even look for IE patches any more.

I think I’ve discovered why some links have the long filename and some don’t. The ones that do Not have the long filenames aren’t coming from either WU or MU.

I’ve been downloading the updates & patches from links provided at Dalai’s site since February and every one of the files I’ve saved since February are in the following format “Windows6.1-KB3192319-x64.msu”… until this month.

Through October the links Dalai was providing directed to “microsoft.com” and this month the links Dalai provided are directing to “catalog.update.microsoft.com”. Likewise, the links Woody provided above direct to “download.windowsupdate.com.

Maybe they can’t be acquired through “microsoft.com” anymore? I guess that’s a question for Dalai, but at least this is making sense to me now!

Thank you, AJ and Mike; it’s nice to know I’m not a unique oddity! Because of Windows Update, I’m not too worried – I use PSI mainly for my other software. However, I am a completist, so would prefer a 100% system score!

With regards Belarc, I can not find any mention of software updates being kept track of (just a ‘software profile’), except for MS updates. Have I missed something, or would I need Belarc AND PSI, rather than replacing PSI with Belarc?

KB3020369 issue was because SSU cant’ be installed with other pending updates
the binaries was never changed from original state, they just changed WU detection rules so that KB3020369 won’t be offered with other updates

and again, that issue has nothing to do with WU long scan issue, and KB3125574 is not related in any case with WU or KB3172605

with all due respect, you are talking with the person who probably knows the most about windows updates and how they work
so please, take my correct info or don’t spread wrong info 🙂

In the past, most of us had automatic update on or delaying installing the patches for few weeks, since there were a few bad patches that often would be fixed.

So, you need to ask yourself, what changed? Microsoft’s behavior since 2015 and how they treated the patches and their attitudes to the ones who had bricked computers because of their poor quality patch. Many users since then noticed the change in computer and learned how to deal with it. The fragmentize started in large scale in 2015 and especially in 2016 because of MS, not because the users are irresponsible as you seem to think. It was a reaction to what MS has done and is doing.

I am finding it strange that you are so supportive of MS forcing updates when it was their behavior in the first place that caused this problem. Just remember how the updates used to be like before 2015 and the users’ behaviors. Remember how Woody was frustrated with the users for not getting off the Automatic Update. So please, please, stop giving the MS a free pass on this issue.

If I do the “manual download” from the (November 18th InfoWorld) link to the MS Catalog, do I stop the “update service” (click the “stop”) BEFORE I INSTALL the downloaded update from the catalog?

I haven’t seen that mentioned and just want to be certain that it “IS OR IS NOT” a requirement after the manual download from the “MS Catalog” – – – BEFORE THE UPDATE IS INSTALLED. Listed as follows on your Nov. 18th InfoWorld article:

******************************

For those in Group B, the update you want from the Microsoft Catalog is as follows:

Win7 64-bit

*********************************

I’m Group B, running Win 7, x64.

I am ready to get the updating process started and need verification before I proceed further.

The answer is easy. Stop using products that you don’t trust. It is not your design and you cannot know better. Either use the product as instructed by the manufacturer or do not use it. Like for a fridge, TV set, car and anything else. If you don’t follow the manufacturer’s instructions, you waive your right to warranty.

I’m not clear what rationale there is for advising Group A folks to check the WU box marked “Give me recommended updates the same way I receive important updates”.

I have been using WU to install the October and November patches, but I have kept that box UNchecked. Consequently, even after installing the “important” updates, I am left with 74 “optional” updates that I don’t want. Those boxes are all unchecked, which is the outcome I would want.

It strikes me that leaving the “recommended” box UNchecked still gives Group A people a fair amount of control over what gets installed by Windows Update.

One recommendation which would help me (and perhaps others) tremendously would be a link to any previous article that you intend to “CHANGE”, and to designate whether it is Infoworld, or YOUR original post changing YOUR MS-DEFCON article.

Apologies for having problems, however there are a lot of articles out there, some older than others, (going back to October 27th). I may be the only one who has had a problem.

I’m a “Group B” member with Windows 7 (64-bit) and have exactly the same problem as Jim. Every attempt I’ve made to download a security update (starting with October, then November, plus the “Win7 64-bit” link at the top) results in a Windows Update Standalone Installer window stuck on “Searching for updates to this computer…” for over an hour. I don’t know whether to leave it sitting for 2 hours (or more) or to give up.

abbodi86 responded “July 2016 rollup update KB3172614” but this answer makes no sense to me as it is the July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2.

If this helps: the last update I successfully installed was KB3177186, “Security Update for Windows 7 for x64-based Systems”. Since then the only updates I’ve managed to install are definition updates for Microsoft Security Essentials – which continued to install automatically for a time, then stopped altogether (around Nov. 3 I think it was). Since then I’ve found and installed the definition updates manually.

I believe I’m following the existing instructions (from “How to cautiously update Windows 7 and 8.1 machines”, Group B section) to the letter, but I’m really feeling stumped.

Any advice please? Is it possible that I hooped my ability to install the security updates from October 11 onward by manually installing [more recent] MSE definition updates in the meantime? Or do I just need to be more patient with that pesky “Searching for updates…” window, i.e. be prepared to wait for hours if need be?

You will get those Recommended and possible Optional updates sooner or later as part of the Rollups.
The only Optional updates which you should normally avoid are those marked as Preview as they will be delivered as part of a Security Rollup after few weeks.

.
@ abbodi ……. U said, “Windows Update was first broke in May 2015, and the break has nothing to do with any specific update”.
.
KB3020369 was the April 2015 SSU. WU was not really broken in April or May 2015. It was just the occasional buggy update from M$ which was resolved by M$ about 2 weeks later.
.
Fyi, for those who were doing clean reinstalls of Win 7 or Win 7 SP1, Windows Update was working fine in April, May 2015 n right up until April 2016 when Windows Update first became really broken.
.
B4 April 2016, after a clean reinstall of Win 7 SP1, the users could automatically download n install the 200+ pending important updates thru Windows Update.
…….After April 2016, they could no longer do so bc Windows Update became broken, eg kept on checking for updates for hours without any success. The solution was to manually install KB3020369 n KB3125574 via M$ Update Catalog or Download Center.
……. After July 2016, the solution was changed slightly. They had to manually install KB3020369 n KB3172605, the July 2016 Convenience Update Rollup. Windows Update would work again n display the 200+ pending important updates for automatic download n install.
……. Why was WU broken in April 2016.? … I suspect the KB3125574 n KB3172605 Rollups contain M$’s hidden Telemetry updates, ie M$ wanted to make sure that those who do a clean reinstall of Win 7 must hv the Telemetry “spyware” installed.

.
@ Julia ……. There are 2 ways to install KB updates, ie automatically via Windows Update or manually and ONE-BY-ONE via M$ Update Catalog.
……. The manual method usually requires WU to be disabled first by selecting “Never Check For Updates” n going to Control Panel > Administration Tool > Component Services > Local Services > Windows Update Service > disable.
.
We must remember that M$ had introduced optional monthly Convenience Update Rollups(CUR) for Win 7/8.1 in May 2016. The May 2016 CUR for Win 7, KB3125574, was like a Win 7 SP2 = 312MB in size(32bit) = contained all the 200+ pending important updates since the release of Win 7 SP1 in 2011.
……. Thereafter, the monthly CUR were cumulative, eg the July 2016 CUR, KB3172605, contained important updates for the months of May, June n July 2016.
.
In October 2016, this was changed by M$ to non-optional monthly Patch Rollups(PR) where users could no longer install updates individually or separately.
……. PR is cumulative n has to be installed automatically via Windows Update. Whereas, the Security-only Updates r not cumulative n hv to be manually installed via M$ Update Catalog.
……. Eg, the Nov 2016 PR contains security n non-security updates for the months of Sept, Oct n Nov 2016 only, ie not for the months of July or Aug 2016.
.
Since July 2016, for Windows Update to work normally, KB3020369 n KB3172605 hv to be already installed, either automatically via WU or manually via M$-UC.KB3020369 is the April 2015 Servicing Stack Update n KB3172605 is the July 2016 CUR.
……. Once WU is working normally, it will help the Win 7 users to install any missing updates n Rollups automatically, once selected.

…I’m not an expert by any means and I don’t know if you have tried this already but these are the steps that work for me.

1. Download the MSU package from the link Woody
provides.
2. Go to “Services” and from the list find “Windows
Update” and Stop the service. Exit from
Services.
3. Run the MSU package, for me this takes under 10
mins.
4. Once installed reboot the computer.
5. After reboot “Windows Update” (in Services)
should be restarted (this doesn’t happen for me
so I go and select Restart the service).

Jim uses an 8.1 computer and that is why abbodi86 provided him that patch number.

@AJ thanks for the heads up on Belarc. It’s a long time since I used it but I ran it today and you’re right, it does show my pc as fully patched, whereas Secunia still shows the MSUpdate rollup patch. So Secunia stays to monitor other software and (whilst I remain in Group B, and as Woody said originally) I’ll take the proverbial pinch of salt with what it reports on MS patches.

James, TonyS basically said what I was going to in a reply I began crafting (please excuse my having taken so long to reply).

Since a glaring red PSI icon staring from the System Tray tends to give one pause, what I have been doing on all of the Windows boxes I tend to (besides tearing out what’s left of my hair) is to exclude the OS from monitoring by the PSI, and rely on the Belarc Advisor to check the security patching integrity of the OS. One nifty feature of the Belarc Advisor is that it has the ability to detect patches that may appear to be installed, but are not actually functioning properly; on more than a few occasions, it has also found missing patches that Windows Update failed to detect (it very decently also provides links to the related KB Article, so that one can directly download the installer.

Now, another free manually-run on-demand software update detector that some may wish to add to their tool kits is Patch My PC (it will also perform the updates, but some have reported issues with that function, and in any case, I always prefer to get the installer from a known reliable site, such as the developer, Softpedia or MajorGeeks). Patch My PC’s developer solicits input from users, so additional software not yet included can be requested for addition. It is updated every few months, or so — and it is portable (no writing to the Registry).

While is was nice, clean and convenient to have just one utility that covered the various bases, it appears that (at least for the foreseeable future) that option has receded into history… .

I’m in the B group for security only patches. I’ve downloaded the stand alone installer for November, run it, and everything appears to be ok. Do I have to leave the installer package in my downloads or can I now delete it? Since it’s only in downloads rather than programme files, I assume it would be ok to delete, but with Microsoft, who knows?

I just used my printer for the first time since installing KB3197867 and discovered problems similiar to those caused by KB3177725 in August. The August problems disappeared after uninstalling KB3177725; the current problems seem to have disappeared after uninstalling the current Security Only So-Called Quality Update (which does contain an update for the borked KB3177725).

Guess it’s time to reserve a seat on the Group W bench while I seriously investigate Linux Mint.

Julia
I would say that instead of stopping the Windows Update service, you are better off by setting Windows Update to Never check for updates and leave the service alone.
The rest is as GoTheSaints says and you should be OK.

Thank you for this very helpful information. I have 2 desktops and 1 laptop to update. I used Group A formula as I did for October and everything worked fine for the 2 pc’s. It took approx. 15-20 mins. and done.

The laptop for some reason took over an hour to download the update and at the end I got a ‘failed’ notice with error code 80004005 – try again. I didn’t have the time so I shut the machine off completely. Several hours later I went in and did the routine of checking updates and it came back with the same KB3197868 update (137MB). I ran it again and this time it only took about 5 mins and whilst it was downloading it said the size of the update was only 17.5MB.

I’m not sure what happened but it seems like the part of the update that was giving the error code managed to get itself fixed somehow. It feels like I lucked out this time but I wish I knew why the laptop had a glitch but not the two desktops. In the meantime, thank you for all your helpful information.

I was looking at November’s monthly rollup, KB3197874, and it states that details for the non-security fixes included can be found in KB3185331, but that’s a regular monthly rollup. Shouldn’t it state that it’s non-security fixes are those from October’s preview rollup, KB3192404? I thought that was going to be the pattern. The previous month’s preview rollup gets rolled into the current month’s rollup. Thanks for any insight.

KB 3185330 stopped the Google search history from working. Once it was removed the search history returned. I loaded KB 3197867 which appeared to be fine, but once again the Google search history does not work. Anyone else have this problem with KB 3197687?

It was “different”. Used the InfoWorld link to DL & Install the Security Update, had a slight problem as needed to “force” the computer to close one window to get the “restart” done.

I now have NO Important Updates as I hid the Security Monthly Quality ROLLUP (KB 3197868 134.0 MB), as well as the MSRT, and Def. These were ALL CHECKED. ***I noted that the size of the MSRT AND the Definition were quite LARGE.

*********************************
In the “Optionals” None were checked.

I hid the “Preview” of the Monthly Quality ROLLUP (KB3197869) and the Preview of Quality ROLLUP for NET Framework.

I hid KB2952664 (holdover from October), which was italicized. I now only have 2 remaining holdovers from October (both italicized)

These are KB3181988, and KB3184143. Both italicized. Is it okay to hide these as I understand we don’t need any of the “Optionals”??

Thank you for any further information you may have on the “Updating”, Group B (Win7 x64). You have helped all of us so much! It is most sincerely appreciated by all of us! 🙂 🙂 🙂

I’ve downloaded the Win7 64-bit November patch (KB3197867) using Woody’s link and also directly from the Microsoft Update Catalog by searching for it from within the catalog. The two files have identical names and sizes, except that the name of the one downloaded directly from the Microsoft Update Catalog is prefixed by the characters “AMD64-all-“. If both files are coming from the same repository, why do they have slightly different names?

Maybe I am the faintist of the faint-hearted, but I still find the patchwork of patches sort of a basket-case. Moreover, there is that lingering injury: After being repeatedly beat up by MS over months and months with their poison-pill updates, I now keep them very much at arm’s distance (if not more). When (if ever) Woody goes to MS-DEFCON 5, then I will take another look. I know that in the meantime maybe I am skating on thin ice as far as security goes; but, truth be told, I feel safer without MS than with them.

(Win 10 Pro 64-bits with Carboni mods and metered connection WuShowhide run before any MS Updates)

In spite of using Metered Connection and WuShowHide to block driver updates before MS Updates can automatically download them, last weekend I got a driver update which listed below the Cumulative Update for Windows 10 Pro on my laptop. This turned out to mean that this update would be offered even in spite of my setting not to ever get a driver update through Microsoft Updates. (Once again, MS is not respecting explicit settings in Windows 10.) So naturally, this update when it downloaded, failed and stalled, causing the CU to fail to install (though it did download).

I went to the Microsoft Updates Catalog in Internet Explorer 11 (though I could have used any of the major web browsers) and downloaded the manual stand alone update for my configuration. (Win 10 v.1607, 64-bits.) I also opened up Manage my PC, went to Device Manager, clicked on the Pointing Devices, found the Device (Touchpad — long unused on this laptop) and ran Update Driver Software with Search Online (search MS Updates for the driver). The driver updated through the Device Manager. Now the problem was, had the CU begun its install routine, or was it safe to restart the laptop? I restarted, knowing I had a System Restore point and the stand alone installer for the CU to fall back on, plus a fairly recent System Image archive which tests good.

The restart took nearly a half-hour going down, and ten minutes starting up. Then I ran MS Updates again, and the driver update was gone from the current list. The CU finished installing (it was already downloaded) and another restart was called for. The downloaded stand alone installer never needed to be used. Again, the restart took a half-hour going down and ten minutes coming up, but everything lists as successfully installed now.

Take Home Lesson — if a driver lists in WuShowHide below any other type of update, HIDE it immediately and use the Device Manager if there appears to be a security reason to get the updated driver. Better yet, go to the manufacturer (if the device is still supported) and get the updated driver from there. I would have saved a half a day’s work and grief if I had known to do this.

i have to administrate 3 devices. wich all run win7 (two 64bit and one 32bit system).

since i heard that MS will force more and more involuntary updates onto costumers (and seeing the whole “bigbrother only wants the good for you” direction this society is going)

i stoped downloading WIN updates for quiet some time (on one system its really long ago probably more then a year) and the other updates are a few months back now( since i have to drive there and provide backup. you gotta love your family 😀 )

-so now i have the problem that i have system which are not updated to the point of the last “more open” updates from september2016.

On a Windows 7 system that was last updated with patches Oct. 10th, Windows Update is now running for 17 hours and counting. The system has the Win Update “speed up” patch installed. Constant cpu usage of 25% on a machine with 4 cpus. All in a copy of svchost that includes the Windows Update service.

This will get you to be fully patched until November 2016, unless you deselect on purpose the updates which are available after July 2016, which is a bit difficult. Supersedence built-in later patches would make it even more difficult.

what was confusing me is that one of them said win 7 embedded standard, and the other was win 7 64 bit. both of them were 88MB in size. im a noob to this stuff since MS starting messing things up. i followed your link for the win 7 64 bit but somehow i mixed it up with the embedded one. i almost installed it but came here first and followed the link you posted to the 64 bit win 7 so everythings all good now. thanks alot for all the info and instructions you provide man its really been helpfull

Yeah, it’s confusing. Win 7 embedded standard is something you won’t need to be concerned about. The most confusing part is that 64-bit versions are marked x64, while 32-bit versions have no distinguishing marks.

In following the instructions for Group B, in Step 6 I get one update showing up on “important” list, namely KB3138612 which is not described as a security update. I don’t have enough information from Step 6 or Step 7 of the Group B instructions as to whether to install that update or not. Apparently it’s an update for Windows 7 update client. Have people had any problems resulting from installing KB3138612, and in particular, does it contain “snooping” or “nagware”? If there hasn’t been any “snooping”, “nagware” or other problems with it, then maybe I’ll just go ahead and install it.

Author

Posts

Viewing 267 reply threads

Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

Reply To: MS-DEFCON 4: Time to get November Windows and Office patches applied

You can use BBCodes to format your content.Your account can't use Advanced BBCodes, they will be stripped before saving.

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.